Concolic Testing of JavaScript using Sparkplug

Zhe Li, Fei Xie

TL;DR

The paper tackles the inefficiency of in-situ concolic testing for JavaScript by introducing a tracing pipeline that uses the Sparkplug baseline compiler to collect native traces and Remill to lift assembly traces to LLVM IR for symbolic execution. The approach preserves the native execution environment, reduces tracing and translation overhead, and maintains a one-to-one correspondence between traces and source code by mirroring Ignition's stack frame. Evaluation on 160 Node.js libraries shows similar statement coverage to the in-situ method (within $10\%$ on average) while detecting all the same bugs but in a fraction of the time, typically around $5$ seconds per iteration versus several minutes. This work demonstrates a practical, faster pathway for concolic testing of JavaScript, with significant implications for automated bug finding and security testing in complex Node.js ecosystems.

Abstract

JavaScript is prevalent in web and server apps, handling sensitive data. JS testing methods lag behind those for other languages. In-situ concolic testing for JS is effective but slow and complex. Our method enhances tracing with the V8 Sparkplug baseline compiler and the Remill library for assembly-to-LLVM-IR conversion. Evaluation on 160 Node.js libraries reveals comparable coverage and bug detection in significantly less time than the in-situ method.

Paper Structure

This paper contains 17 sections, 9 figures, and 2 tables.

Figures (9)

  • Figure 1: Sparkplug Restricted optimization feature
  • Figure 2: Workflows of In-situ Concolic Testing Based on Sparkplug and CRETE
  • Figure 3: Workflow of Execution Tracer between In-situ Approach and Our Approach
  • Figure 4: Workflow of the Translator
  • Figure 5: How the execution tracer only extracts the execution traces that contribute to the main control flow of JS scripts
  • ...and 4 more figures